WebApp Sec mailing list archives
RE: Tying a session to an IP address
From: "Wolf, Yonah" <Yonah.Wolf () ujc org>
Date: Mon, 10 May 2004 10:26:49 -0400
Paul,
I tried this approach a few years ago, and got stymied by the very same logic that you are posing - some web caches
are load-balanced and although most of them can be programmed to take advantage of session stickiness, they don't. In
addition, we have even run into cases of Session-sharing - i.e. two people behind the same proxy get the same sessionID
- thereby further limiting the application of IP-based controls. Based on the way you are stating this problem, I am
going to assume that Server-level authentication and/or client certificates are not going to work - it sounds like we
are talking about a public web site.
In the past I have heard people wanting to use the HTTP_X_PROXY_FOR header to determine the internal ip address - but
that isn't standard across proxies TTBOMK.
Bear in mind - if two people are at a Wi-Fi hotspot, it is not inconceivable that one can intercept the other's
cookie and then use it to authenticate himself because he is coming from the same proxy.
HTH,
--Yonah
-----Original Message-----
From: Paul Johnston [mailto:paul () westpoint ltd uk]
Sent: Monday, May 10, 2004 9:14 AM
To: webappsec () securityfocus com
Subject: Tying a session to an IP address
Hi,
I'm interested in the merits of restricting a session to an IP address.
I realise this isn't great security as often many users will appear to
come from the same IP address (NAT, proxies, etc.) However, if you
consider the case where an attacker uses an XSS vulnerability to steal
the session ID, then the IP address restriction raises the bar
considerably for an arbitrary remote attacker to exploit this. I'm
worried that the IP address restriction wouldn't work for all users -
e.g. if their ISP uses load-balanced web caches. Does anyone know how
common such arrangements are in practice? Perhaps something to be done
then is just check the top 16 bits of the IP address. This is likely to
work for all such network arrangements and still raises the bar a lot
for remote attacks.
Does anyone here already restrict sessions by IP address?
Regards,
Paul
--
Paul Johnston
Internet Security Specialist
Westpoint Limited
Albion Wharf, 19 Albion Street,
Manchester, M1 5LN
England
Tel: +44 (0)161 237 1028
Fax: +44 (0)161 237 1031
email: paul () westpoint ltd uk
web: www.westpoint.ltd.uk
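As an added worked example (editor's code, not from either post): a minimal in-memory session store in Python that binds a session to the client's IPv4 address at a configurable prefix length, so the exact-match variant and the "top 16 bits" variant Paul proposes can be compared on the cases the thread raises: a user whose ISP's load-balanced cache farm shifts their source address, a remote attacker replaying a cookie stolen via XSS, and a neighbour behind the same proxy or hotspot. It also shows the only safe way to consult X-Forwarded-For (the de facto proxy header; as Yonah notes, there is no standard one): trust it only when the TCP peer is one of your own proxies, and then only its rightmost entry, since everything to the left is client-supplied. The class and function names, the trusted-proxy address and the RFC 5737 documentation addresses are assumptions for illustration.

```python
"""Tie a web session to the client's IPv4 address at a chosen prefix length.

Added example for the "Tying a session to an IP address" thread; names and
addresses are illustrative assumptions, not code from the original posts.
"""
import ipaddress
import secrets
from typing import Optional


class SessionStore:
    """Session table whose entries are bound to an IPv4 prefix.

    prefix_len=32 ties the session to the exact address; prefix_len=16 is
    the relaxed "check the top 16 bits" variant proposed in the thread.
    """

    def __init__(self, prefix_len: int = 32):
        if not 0 <= prefix_len <= 32:
            raise ValueError("prefix_len must be 0..32 for IPv4")
        self.prefix_len = prefix_len
        self._sessions = {}  # sid -> (user, bound network)

    def _bind_network(self, ip: str) -> ipaddress.IPv4Network:
        # strict=False masks off the host bits: 198.51.100.7/16 -> 198.51.0.0/16
        return ipaddress.IPv4Network(f"{ip}/{self.prefix_len}", strict=False)

    def create(self, user: str, client_ip: str) -> str:
        sid = secrets.token_urlsafe(32)  # 256 bits of randomness
        self._sessions[sid] = (user, self._bind_network(client_ip))
        return sid

    def lookup(self, sid: str, client_ip: str) -> Optional[str]:
        """Return the user for sid, or None if sid is unknown or is presented
        from outside the bound prefix. A mismatch invalidates the session, so
        a stolen ID cannot simply be retried from other addresses."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        user, network = entry
        if ipaddress.IPv4Address(client_ip) not in network:
            del self._sessions[sid]
            return None
        return user


# Assumed address of our own reverse proxy / load balancer (constructed).
TRUSTED_PROXIES = {ipaddress.IPv4Address("10.0.0.1")}


def client_ip(remote_addr: str, x_forwarded_for: Optional[str], trusted_proxies) -> str:
    """Choose the address to bind the session to.

    X-Forwarded-For is honoured only when the TCP peer is one of our own
    proxies, and then only its rightmost entry, the one that proxy appended.
    Entries further left (and the whole header, from any other peer) are
    attacker-controlled and must be ignored.
    """
    if x_forwarded_for and ipaddress.IPv4Address(remote_addr) in trusted_proxies:
        hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
        if hops:
            return hops[-1]
    return remote_addr


def session_survives(prefix_len: int, login_ip: str, request_ip: str) -> bool:
    """Log in from login_ip, then present the session cookie from request_ip."""
    store = SessionStore(prefix_len)
    sid = store.create("alice", login_ip)
    return store.lookup(sid, request_ip) == "alice"


if __name__ == "__main__":
    # Constructed scenarios using RFC 5737 documentation ranges.
    cases = [
        (32, "198.51.100.7", "198.51.100.7", "same address"),
        (32, "198.51.100.7", "198.51.101.9", "ISP cache farm moved user to another /24"),
        (16, "198.51.100.7", "198.51.101.9", "same move, /16 check"),
        (16, "198.51.100.7", "203.0.113.5", "remote attacker replaying a stolen cookie"),
        (16, "198.51.100.7", "198.51.100.8", "neighbour behind the same proxy/hotspot"),
    ]
    for plen, login, req, what in cases:
        ok = session_survives(plen, login, req)
        print(f"/{plen:<2} {login} -> {req}: {'accepted' if ok else 'rejected'}  ({what})")
```

Running it shows the trade-off directly: the /32 check breaks the legitimate user whose source address changes within their ISP, the /16 check keeps that user working and still rejects the arbitrary remote attacker, but neither check helps against the neighbour on the same proxy that Yonah describes.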
Current thread:
- Re: Tying a session to an IP address, (continued)
- Re: Tying a session to an IP address Rogan Dawes (May 10)
- Re: Tying a session to an IP address exon (May 10)
- Re: Tying a session to an IP address Rogan Dawes (May 10)
- Re: Tying a session to an IP address Chris Burton (May 10)
- Re: Tying a session to an IP address Imre Kertesz (May 10)
- Re: Tying a session to an IP address [summary] Paul Johnston (May 12)
- RE: Tying a session to an IP address Mike Randall (May 10)
- RE: Tying a session to an IP address Imperva Application Defense Center (May 10)
- Re: Tying a session to an IP address T.J. (May 10)
- Re: Tying a session to an IP address Adam Tuliper (May 10)
- RE: Tying a session to an IP address Steve McCullough (May 11)
- RE: Tying a session to an IP address Wolf, Yonah (May 10)
- RE: Tying a session to an IP address Scovetta, Michael V (May 10)
- Re: Tying a session to an IP address exon (May 10)
- Re: Tying a session to an IP address Mark Foster (May 10)
- Re: Tying a session to an IP address exon (May 10)
- RE: Tying a session to an IP address Tom Arseneault (May 10)
- RE: Tying a session to an IP address Toni Heinonen (May 10)
- Re: Tying a session to an IP address exon (May 10)
- RE: Tying a session to an IP address Tom Martin (May 11)
